
Configuration parameter for certificate lifetime.

Open · cpu opened this issue 4 years ago · 1 comment

Boulder allows configuration of issued end entity certificate lifetime. Pebble presently hard-codes it: https://github.com/letsencrypt/pebble/blob/0abe0523af6f711c2f4c4a29a3a9a5f91aa9282e/ca/ca.go#L197

RFC 8555 7.5 specifies that a new order request may have optional notBefore and notAfter fields as one way to have configurable certificate lifetimes. I'm not keen on implementing this in Pebble because I feel like it was a specification mistake to give servers no ability to adjust the requested dates (e.g. to back-date). It's extremely unlikely we would implement processing of these order fields in Boulder, even if we allowed shorter certificate lifetimes.

Rather than implement the notBefore/notAfter fields of RFC 8555 I think Pebble should follow Boulder's lead and make the static certificate lifetime configurable in the Pebble config file loaded at startup. This is a simple solution that would meet the needs of developer requests like this.

cpu avatar Jul 11 '19 14:07 cpu

This feature would have made this past week much easier on me ;)

If this happens, could it please share the same config name as Boulder?

jvanasco avatar Jan 30 '20 05:01 jvanasco

As this is still an open issue after more than 2 years, is there another approach to locally testing/developing the Let's Encrypt issuing and renewal mechanisms without waiting days for the expiry?

I know I can clone this repo and modify the hardcoded value, but I have the feeling maybe Pebble was built for a different use case and I am using it for the wrong purpose.

My use case is to locally develop and test (manually and automatically) a docker-compose-based certbot system and cert-manager-based k8s setups.

Thx for any hints.

ceelian avatar Dec 20 '22 23:12 ceelian

FWIW, inspecting the code I found the "CertificateValidityPeriod" config variable! I don't know how long it's been there, I didn't see it in the information on the site (and that's why I got to this issue). But it works. You can define a value in seconds:

"certificateValidityPeriod": 259200,

and your certificates will last only for 3 days!

huguei avatar Oct 18 '23 16:10 huguei
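A practitioner who sets `certificateValidityPeriod` will want to confirm that the certificates Pebble actually issues carry that lifetime, rather than trusting the config edit. The following Go program is an added example, not code from the Pebble project: it reads the configured period (in seconds) out of a pebble-config.json document, computes notAfter minus notBefore from a PEM certificate, and reports whether the two agree. The config fragment is constructed for the example and assumes the key sits under the top-level `pebble` object, mirroring the shape of Pebble's test config; the certificate is a self-signed test certificate generated in-process so the program runs offline, where in practice you would feed it the certificate obtained by certbot or cert-manager from Pebble.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// sampleConfig is a constructed pebble-config.json fragment; the placement of
// certificateValidityPeriod under the "pebble" object is an assumption that
// follows the shape of Pebble's test config. 259200 seconds is 3 days.
const sampleConfig = `{
  "pebble": {
    "listenAddress": "0.0.0.0:14000",
    "certificateValidityPeriod": 259200
  }
}`

// configuredValiditySeconds extracts certificateValidityPeriod from a config document.
func configuredValiditySeconds(cfgJSON []byte) (int64, error) {
	var cfg struct {
		Pebble struct {
			CertificateValidityPeriod int64 `json:"certificateValidityPeriod"`
		} `json:"pebble"`
	}
	if err := json.Unmarshal(cfgJSON, &cfg); err != nil {
		return 0, err
	}
	if cfg.Pebble.CertificateValidityPeriod <= 0 {
		return 0, errors.New("certificateValidityPeriod missing or not positive")
	}
	return cfg.Pebble.CertificateValidityPeriod, nil
}

// certValiditySeconds parses a PEM certificate and returns notAfter - notBefore in seconds.
func certValiditySeconds(certPEM []byte) (int64, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, errors.New("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	return int64(cert.NotAfter.Sub(cert.NotBefore).Seconds()), nil
}

// lifetimeMatches reports whether the certificate's lifetime equals the configured period.
func lifetimeMatches(cfgJSON, certPEM []byte) (bool, error) {
	want, err := configuredValiditySeconds(cfgJSON)
	if err != nil {
		return false, err
	}
	got, err := certValiditySeconds(certPEM)
	if err != nil {
		return false, err
	}
	return got == want, nil
}

// makeTestCert builds a self-signed certificate with the given lifetime so the
// example can run without a live Pebble instance. Times are truncated to whole
// seconds because X.509 encodes validity at second precision.
func makeTestCert(lifetime time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notBefore := time.Now().UTC().Truncate(time.Second)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "test.example"},
		DNSNames:     []string{"test.example"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	certPEM, err := makeTestCert(3 * 24 * time.Hour)
	if err != nil {
		panic(err)
	}
	ok, err := lifetimeMatches([]byte(sampleConfig), certPEM)
	if err != nil {
		panic(err)
	}
	fmt.Printf("certificate lifetime matches configured period: %v\n", ok)
}
```

To check a real Pebble-issued certificate, replace the generated PEM with the contents of the cert file your ACME client wrote and point the config reader at the pebble-config.json you started Pebble with; a mismatch usually means the client was talking to a different Pebble instance or the config file was not the one actually loaded.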

@huguei August 2021. See https://github.com/letsencrypt/pebble/pull/361 and https://github.com/letsencrypt/pebble/commit/7d978476390154012fc67980a766b954e8572823

jvanasco avatar Oct 18 '23 16:10 jvanasco